THE MORDELL-WEIL SIEVE: PROVING NON-EXISTENCE 
OF RATIONAL POINTS ON CURVES 



NILS BRUIN AND MICHAEL STOLL 

Abstract. We discuss the Mordell-Weil sieve as a general technique for prov- 
ing results concerning rational points on a given curve. In the special case of 
curves of genus 2, we describe quite explicitly how the relevant local information 
can be obtained if one does not want to restrict to mod p information at primes 
of good reduction. We describe our implementation of the Mordell-Weil sieve 
algorithm and discuss its efficiency. 



1. Introduction 

The Mordell-Weil Sieve uses knowledge about the Mordell-Weil group of the Ja- 
cobian variety of a curve, together with local information (obtained by reduction 
mod p, say, for many primes p), in order to obtain strong results on the rational 
points on the curve. 

The most obvious application that also provided the original motivation for this 
work is the possibility to verify that a given curve does not have any rational 
points. This is done by deriving a contradiction from the various bits of local 
information, using the global constraint that a rational point on the curve maps 
into the Mordell-Weil group. This idea is simple enough (see Section 2), but its 
implementation in form of an algorithm that runs in reasonable time on a com- 
puter is not completely straightforward. The relevant algorithms are discussed 
in Section 3, and our concrete implementation is described in Section 7. Sec- 
tion 8 contains a discussion of the efficiency of the implementation and gives some 
timings. 

The idea of using this kind of 'Mordell-Weil sieve' computation to prove that 
a given curve does not have rational points appears for the first time in Scha- 
raschkin's thesis [Sc], who used it in a few examples involving twists of the Fermat 
quartic. It was then taken up by Flynn [F12] in a more systematic study of 
genus 2 curves; his selection of examples was somewhat biased, however (in fa- 
vor of curves he was able to compute with). In our 'small curves' project [BSl] 

Date: November 11, 2009. 

2000 Mathematics Subject Classification. 11D41, 11G30, 11Y50 (Primary); 14G05, 14G25, 
14H25, 14H45, 14Q05 (Secondary). 

Research of the first author supported by NSERC. 



THE MORDELL-WEIL SIEVE 



2 



we applied the procedure systematically and successfully to all genus 2 curves 
y"^ = + ■ ■ ■ + fix + fo with fi G {—3, —2, —1, 0, 1, 2, 3} that do not possess 
rational points. 

In this situation, it is not strictly necessary to know a full generating set of the 
Mordell-Weil group. It is sufficient to know generators of a finite-index subgroup 
such that the index is coprime to a certain set of primes. This can be checked 
again by using only local information. In fact the necessary information usually is 
part of the input for the sieve procedure. This remark is relevant, since one needs 
to be able to compute canonical heights and to enumerate points on the Jacobian 
up to a given bound for the canonical height if one wants to obtain generators for 
the full Mordell-Weil group. The necessary algorithms are currently only available 
for curves of genus 2, see [Stl, St3]. We can still use the Mordell-Weil sieve to 
show that there are no rational points on a given curve, even when the genus is 
> 3. Of course, we still need to know the Mordell-Weil rank and the right number 
of independent points. See [PSS] for an example where this is applied with a curve 
of genus 3 to show that there are no rational points satisfying certain congruence 
conditions. 

The approach can be modified so that it can be used to verify that there are no 
rational points satisfying a given set of congruence conditions or mapping into a 
certain coset in the Mordell-Weil group. This is what was used in [PSS]. If we 
can show in addition in some way that in each of the cosets or residue classes 
considered, there can be at most one rational point, then this provides a way of 
determining the set of rational points on the curve. Namely, if a given coset or 
residue class contains a rational point, then we will eventually find it, and we then 
also know that there are no other rational points in this coset or class. And if 
there is no rational point in this coset or residue class, then we can hope to verify 
this by an application of the Mordell-Weil Sieve. In this situation, the remark we 
made above that it is sufficient to know a finite-index subgroup still applies. 

There is one case where we can actually prove that, for a suitable choice of prime p, 
no residue class mod p on the curve can contain more than one rational point. This 
is the 'Chabauty situation', when the Mordell-Weil rank is less than the genus. 
We can (hope to) find a suitable p, and then we can (hope to) determine the 
rational points on our curve as outlined above. This yields a procedure whose 
termination is not (yet) guaranteed, since it relies on some conjectures. However, 
the procedure is correct: if it terminates, and it has done so in all examples we 
tried, then it gives the exact set of rational points on the curve. In the Chabauty 
context, the sieving idea has already been used in [^-^"] to rule out rational points 
in certain cosets. See also [PSS] for some more examples and [Br] for an example 
that uses 'deep' information. 
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Even when the rank is too large to apply the idea we just mentioned, the sieve can 
still be used in order to show that any rational point on the curve that we have 
not found so far must be astronomically huge. This provides at least some kind 
of moral certainty that there are no other points. In conjunction with (equally 
huge) explicit bounds for the size of integral points, this allows us to show that 
we know at least all the integral points on our curve, see [BMSST]. For this 
application, however, we really need to know the full Mordell-Weil group, so with 
current technology, this is restricted to curves of genus 2. 

We discuss these various applications in some detail in Section 4. 

In Sections 5 and 6, we discuss how to extract local information that can be used 
for the sieve, when we do not want to restrict ourselves to just information mod p 
for primes p of good reduction. In these sections, we assume that the curve is of 
genus 2 and that we are working over Q. 

As to the theoretical background, we remark here that under a mild finiteness 
assumption on the Shafarevich-Tate group of the curve's Jacobian variety, the 
information that can be obtained via the Mordell-Weil sieve is equivalent to the 
Brauer-Manin obstruction, see [Sc] or [St5]. 

Acknowledgments. We would like to thank Victor Flynn and Bjorn Poonen for 
useful discussions related to our project. Further thanks go to the anonymous 
referee for some helpful remarks. For the computations, the MAGMA [^ '] system 
was used. 

2. The idea 

Let C/Q be a smooth projective curve of genus g > 2 with Jacobian variety J. 
(In [St6, St7], we consider more generally a subvariety of an abelian variety. The 
idea is the same, however.) 

Our goal is to show that a given curve C/Q does not have rational points. For this, 
we consider the following commuting diagram, where v runs through the (finite 
and infinite) places of Q. 




V V 

We assume that we know an embedding l : C ^ J defined over Q (i.e., we know 
a Q-rational divisor class of degree 1 on C) and that we know generators of the 
Mordell-Weil group J(Q). If C(Q) is empty, then the images of a and the lower l 
are disjoint, and conversely. 
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However, since the sets and groups involved are infinite, we are not able to compute 
this intersection. Therefore, we replace the groups by finite approximations. Let 
5* be a finite set of places of Q and let > 1 be an integer. Then we consider 

CiQ) J(Q)/iVJ(Q) 

a 

n c{Q,) n j{Qv)/Nj{Q,) 

Under the assumptions made, we now can compute the images of a and of f3 and 
check if they are disjoint. If C(Q) = 0, then according to the Main Conjecture 
of [St5] and the heuristic given in [Po], the two images should be disjoint when 
S and are large enough. Note that (as shown in [^^^^]) the two images will 
be disjoint for some choice of S and if and only if Yl^ '•(C(Qu)) does not meet 
the topological closure of J(Q) in Hp ^(Qp) x J(M)/J(M)°, where J(M)° denotes 
the connected component of the origin. This is a stronger condition than the 
requirement that n^''(^(Qi')) misses the image of J(Q). The conjecture claims 
that both statements are in fact equivalent. 

As a further simplification, we can just use a set S of primes of good reduction 
and replace the above diagram by the following simpler one: 

cm — ^ jm/NJiQ) 

a 

n C{¥,) n J{¥,)/NJ{¥,) 

pes pes 

Poonen originally formulated his heuristic for this case. However, in practice it 
appears to be worthwhile to also use 'bad' information (coming from primes of bad 
reduction) and 'deep' information (involving parts of the kernel of reduction) in 
order to keep the running time of the actual sieve computation within reasonable 
limits. In Sections 5 and 6 below, we show how to obtain this kind of information 
for curves of genus 2 over Q. 

3. Algorithms 

In the following, we assume that we are using the simpler version involving only 
reduction mod p, as described at the end of Section 2. 

Let r denote the rank of the Mordell-Weil group J(Q). For a given set S and 
parameter A^, denote by A{S,N) C J{Q)/NJ{Q) the subset of elements mapping 
into the image of C{¥p) in J{¥p)/NJ{¥p) for all p G 5, in symbols: 

A{S, N) = {ae J{Q)/NJ{Q) : a{a) G im(/3^,p) for all p e S} 
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Here, pN,p ■ C{¥p) J{¥p)/NJ(¥p) denotes the composition of l : C(¥p) J(Fp) 
and the canonical epimorphism J(¥p) J(¥p)/NJ(¥p). 

The procedure sphts into three parts. 

(1) Choice of S 

In the first step, we have to choose a set S of primes such that we can be 
reasonably certain that the combined information obtained from reduction 
mod p for all p & S is sufficient to give a contradiction (or, more generally, 
to have A{S, N) equal to the image of C(Q), for suitable N). In Section 3.1, 
we explain a criterion that tells us if S is likely to be good for our purposes. 
The actual computation of the relevant local information is also part of this 
step. For each prime p G S", we find the abstract finite abelian group G'^ 
representing J(¥p) (or some other finite quotient of J(Qp)) and the image 
X'p C G'p of L : C(¥p) — > J(¥p). We also compute the homomorphism 
(pp : J(Q) — > G'p. We write Gp for the image of 0p and denote Xp = X'^nGp. 

In what follows below, we will use jj^Xp/jj^Gp as a measure for how much 
information about rational points on G can be obtained at p. Note that it is 
possible that Gp C Xp C G'p. In that case, jj^X'^/jj^G'p < 1, but no element 
of the Mordell-Weil group can be ruled out from coming from C(Q), based 
on the information at p. If we were to use this quantity, we would obtain 
erroneous estimates in the second step. This can then lead to huge sets 
A{S, N) in the third step and even to a failure of the computation. 

(2) Choice of N 

In the second step, we fix a target value of N and determine a way to 
compute A{S, N) efficiently. We do that by finding an ordered factoriza- 
tion N = qiq2 ■ • ■ q-m such that none of the intermediate sets A{S, qi - ■ ■ qu) 
becomes too large. This is explained in Section 3.2. 

(3) Computation of A{S, N) 

Finally, we have to actually compute ^4(5*, N) in a reasonably efficient way. 
We explain in Section 3.3 how this can be done. 

The last two steps can be considered independently from the Mordell-Weil sieve 
context. Basically, we need a procedure that, given a finite family of surjective 
group homomorphisms 0j : F — Gj and subsets Xj C Gj, (for i E I) attempts 
to prove that for every a G F there is some i G / such that 0i(ci) ^ Xj. Here F 
is a finitely generated abelian group and the Gi are finite abelian groups. In our 
application, F is the Mordell-Weil group, the index set is S", Gp is the image of 
J(Q) in J(Fp), and Xp = L{G{¥p)) n Gp. 

We give some more details on our actual implementation in Section 7. 
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3.1. Choice of S. The first task of the algorithm is to come up with a suitable 
set S of places. We will restrict to finite places (i.e., primes), but in principle, one 
could also include information at infinity, which would mean to consider the con- 
nected components of J(]R) which meet the image of C(]R) under the embedding t. 

It is clear that the only possibility to get some interaction between the information 
at various primes p (and eventually a contradiction) is when the various group 
orders ^J{¥p) have common factors. This is certainly more likely when these 
common factors are relatively small. We therefore look for primes p (of good 
reduction) such that the group order ^J{¥p) is S-smooth (i.e., with all prime 
divisors < B) for some fixed value of B; in practice, values like B = 100 or 
B = 200 lead to good results. 

For each such prime, we compute the group structure of J(Fp), i.e., an abstract 
finite abelian group G'p together with an explicit isomorphism J(Fp) = G^. We also 
compute the images of the generators of J(Q) in G'^ and the image of C(¥p) in G^. 
In order to do that, we need to solve roughly p discrete logarithm problems in G'p. 
Since Gp has smooth order, we can use Pohlig-Hellman reduction [i ' M] to reduce to 
a number of small discrete log problems. Therefore, this part of the computation 
is essentially linear in p in practice. We do need to compute reasonably efficiently 
in J(Fp), though. If C is a curve of genus 2, Cantor reduction [Ca] gives us a 
way to do that. To fix notation, let W denote an effective canonical divisor on C. 
Cantor reduction takes as input a degree divisor in the form D — dW, where D 
is an effective divisor of degree 2d, and computes a unique divisor Do of degree 2 
such that 

[D - dW] = [Do - W] , 

with the convention that if D — dW is principal, then Do = W. Adding two divisor 
classes represented as [Di — W] and [D2 — W] can be accomplished by feeding the 
divisor {Di + D2) — 2W into the reduction algorithm. 

Cantor reduction also allows us to map elements from C{¥p) into J{¥p). If l is 
given by a rational base point Pq G C(Q), i.e., l{P) = [P — Po], and Pq is the 
reduction of Pq modulo p, then for each P G C(¥p), we have l{P) = [P + Pq — W], 
where Pq is the hyperelliptic involute of Pq- In this case, we already get t{P) as 
a reduced divisor class. Otherwise, l is given by t(P) = [P — D3 + W], where 
D^ is a rational effective divisor of degree 3. Then we can compute a reduced 
representative of l{P) by performing Cantor reduction on (P + D'^) — 2W. 

As mentioned above, we finally replace G'p by Gp = 0p(J(Q)), and we let Cp be 
the intersection of the image of C(¥p) in G'p with Gp. We then use (pp to denote 
the surjective homomorphism 0p : J(Q) Gp. 

In order to determine whether we have collected enough primes, we compute the 
expected size of the set A{S, N), where S is the set of all p collected so far and N 
is a suitable value as specified below. We follow Poonen [Po] and assume that the 
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images of the C (Fp) in J(Fp) are random and independent for the various p. This 
leads to the expected value 



where Cm,p is the image of Cp in Gp/NGp. 

In principle, we would like to find the value of N that minimizes n{S, N) for the 
given set S. However, this would lead to much too involved a computation. We 
therefore propose to proceed as follows. Write 



where Nj divides Nj^i (j = 1, 2, — 1). Then we take = Ni_r-i-j for 
j = 0, 1, 2, 3 as values that are likely to produce a small n{S, N). The reason for 
this choice is the following. Usually the target groups will be essentially cyclic, 
and the kernel of the homomorphism J(Q) — >■ J{^p) will be a random subgroup 
of index #J(Fp) and more or less cyclic quotient. If we take a prime number q 
for and the Mordell-Weil rank is r, then we obtain a random codimension 
one subspace of F^. Unless q is very small, it will be rather unlikely that these 
subspaces intersect in a nontrivial way, unless there are more than r of them. So 
for every prime power dividing our A^, we want to have more than r factors in the 
product above that have order divisible by the prime power. So we should restrict 
to divisors of Ni^r-i- Taking Ni_r-i-j with j > 0, we make sure to get even more 
independent factors. 

By the same token, any subgroup L C J(Q) such that we can expect to get 
sufficient information on the image of C(Q) in J(Q)/L will be very close to NJ[Q) 
for some N: as soon as the various bits of information interact, we will have 
exhausted all "directions" in the dual of J{Q)/NJ{Q), and the intersection of the 
kernels of the relevant maps will be close to NJ{Q). This also explains why our 
approach to the computation of A{S, N), which we describe below in Section 3.3, 
works quite well. 

Note that by taking S (and perhaps also B) large, we will get large values for the 
number I of factors. Once / ^ r, the image of the Mordell-Weil group J(Q) in 
this product will be rather small, so that we can expect it to eventually miss the 
image of the curve. Poonen's heuristic [Po] makes this argument precise. 

We continue collecting primes into S until we find a sufficiently small n{S, N). In 
practice, it appears that n{S, N) < e = 10~^ is sufficient. Note that if the final 
sieve computation is unsuccessful (and does not lead to the discovery of a rational 
point on C), then we can enlarge S until n{S,N) gets sufficiently smaller and 
repeat the sieve computation. 



n 



(5,Ar) = #(j(Q)/iVJ(Q))n 




i^{Gp/NGp) 



Yl ^(Fp) = Z/iViZ X Z/iVaZ x ■ ■ ■ x Z/iV^Z 



pes 
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3.2. Choice of N. Once S is chosen and the relevant information is computed, 
we can forget about the original context and consider the following more abstract 
situation. 

We are given a finitely generated abstract abelian group F of rank r, together with 
a finite family {Gi, (pi, of triples, where Gi is a finite abstract abelian group, 

0i : r — > is a surjcctive homomorphism, and C Gj is a subset. In practice, 
r and the Gi arc given as a product of cyclic groups, (pi is given by the images of 
the generators of F, and Xi is given by enumerating its elements. The following 
definition generalizes A{S, N). 

Definition 3.1. Let L C F be a subgroup of finite index. We set Gi^i = Gi/(pi{L), 
write j for the image of Xj in GL,i, and denote by (pL^i the induced homomor- 
phism T/L —>■ Gla- We define 

A{L) {7 e F/L : 0i,,(7) e X^,, for all i e /} 

and its expected size 

n(L) = #(r/L)n|§f^. 

iei 

Now the task is as follows. 
Problem 3.2. 

(1) Find a number N such that A^NT) has a good chance of being empty and 
such that A{NT) can be computed efficiently. 

(2) Compute A{Nr). 

In our application, F = J(Q), I = S, and for p G S, Gp and (pp are as before, and 
Xp — Cp. 

Since we may have to take A'^ fairly large (N ^ 10^ is not uncommon, and values 
f» 10^^ or even ^ 10^°*^ do occur in practice in our applications), it would not be a 
good idea to enumerate the (roughly N"^) elements of T/NT and check for each of 
them whether it satisfies the conditions. Instead, we build up N multiplicatively 
in stages: we compute A{NjT) successively for a sequence of values 

No = 1, Xi = gi, X2 = Xig2, X3 = N2q3, N„, = Kn-iQu. = N 

where the are the prime divisors of X. We want to choose the sequence (g^) 
(and therefore X) in such a way that the intermediate sets A(XfcF) are likely to be 
small. For this, we use again the expected size n(XfeF) of A(XjfcF). By a best- first 
search, we find the sequence {qk)k=i,...,m such that 

(i) n((]J^-,^ ?fe)r) is less than a target value £1 < 1 (for example, 0.1), and 

(ii) max|n(XjfcF) : < A; < m} is minimal (where X^ = 11^=1 Qj)- 
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From the first step, which provides the input, we can deduce a number M (usually 
M — Ni-i-r-j for some small value of j, in the notation used above) such that 
all reasonable choices for N should divide M. The following procedure returns a 
suitable sequence (gi, . . . , g^)- 



FindQSequence: 

c := {(0,1,1.0)} // is an empty sequence oi qk, 1 is N, 1.0 is n{NT) 
while c 7^ 0: 

{s,N,n) :— triple in c with minimal n 

remove this triple from c 

if n < // success? 

return s 

end if 

/ / compute the possible extensions of s and add them to the list 
c :— cL) { (append(s, q), Nq, n{Nqr)) : q prime, Nq \ M} 
end while 

// if we leave the while loop here, the target was not reached 
return 'failure' 



When we extend c, we can restrict to the triples (s', N', n') such that A^' does not 
occur as the second component of a triple already in c. (Since in this case, we 
have already found a 'better' sequence leading to this N'.) 

If the information given by (Gi,<pi,Xi)i^i is sufficient (as determined in the first 
step), then this procedure usually does not take much time (compared to the 
computation of the 'local information' like the image of C(Fp) in J(Fp)). In any 
case, if we made sure in the first step that there is some M such that n{MT) < £1, 
then FindQSequence will not fail. 

In this step and also in the first step, it is a good idea to keep the orders of the 
cyclic factors of the groups Gi and the numbers in factored form, and only 
convert the greatest common divisors of N with the relevant group orders into 
actual integers. 

3.3. Computation of A{NT). Now we have fixed the sequence {qk)j=\,...,m of 
primes whose product is N . In the last part of the algorithm, we have to compute 
the set A{NT) (and hope to find that it is empty or sufficiently small, depending 
on the intended application). 

This is done iteratively, by successively computing A{Nk^), where = 11^=1 
We start at k = and initialize A{NoT) = A{T) = {0} C T/T. Then, assuming 
we know A{Nk_ir), we compute A{Nk'r) as follows. 
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We first find the triples {Gi,(f)i,Xi) that can possibly provide new information. 
The relevant condition is that Vq^{ei) > Vqi^{Nk), where ej is the exponent of the 
group Gi. For these i, we compute the group Gn^f,!, the image Xi\fi^T,i of Xi in 
this group and the homomorphism (pN^r^i '■ r/iVfeF — > Gis[kT,i- 

The most obvious approach now would be to take each 7 G A{Nj.^iT)^ run through 
its various lifts to V /N^T and check for each lift if it is mapped into X]si^T,i un- 
der (j)N,,r,i- The complexity of this procedure is ^A{Nk_iV) ■ ql times the average 
number of tests we have to make (we disregard possible torsion in F, which will 
not play a role once Nk-i is large enough). Unless r is very small, the procedure 
will be rather slow when the intermediate sets A{NkT) get large. 

In order to improve on this, we split the inclusion NkV C Nk-iT into several 
stages: 

Note that the quotient Nk^iT/NkT is isomorphic to {Z/q^Zy (again disregarding 
torsion in F), so we can hope to get up to r intermediate steps. We now proceed 
as follows. 



PrepareLift(A;): 
j :— 0; Lq := iV^.iF // initialize 

I' :— {i E I : Vq^{ei) > Vqi^{Nk)} / / the relevant subset of / 
while /' ^ 0: 

J := J + 1 

/ / list the possible subgroups for the next step 
A := {Lj_i n ker(0j) : i e I'} 
for L e A: 

/ / compute a measure of how 'good' each subgroup is 
n(L,_„ L) := {L,., : L) J] . , \ , 

end for 

Lj := the L G A that has the smallest n{Lj_i, L) 

1 1 record the i G /' that contribute to this step 
:= {i G /' : 0,(L,) ^ 0,(^0} 

V := {i G r : (^i{Lj) t NkGi} // update I' 
end while 
if Lj ^ NkT: 

/ / fill the remaining gap to A^^^F 

t:=j + 1; Lt := iV^F; U := 
else 
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end if 



The quantity n{Lj_i, L) that we compute in the algorithm above is the expected 
number of "offspring" that an element of A{Lj^i) generates in A{L). 

We then successively compute A{Li), . . . , A{Lt) — A{Nkr) in the same way as 
described above for the one-step procedure: 



Lift(A;): 

// note that A{Lo) = A{Nk-iT) 
for j = 1, . . . , t: 
A(Lj) := C r/Lj 
for a e A(Lj_i): 

a' := a representative of a in T/Lj 
for / e Lj_i/ Lf 

if Vi e Ij : 0L„i(a' + /) e Xl^x. 

A{L,) := A(L,)U{a' + /} 
end if 
end for 
end for 
end for 

// now A{NkV) = A{Lt) 
return 



In practice, PrepareLift and Lift together form one subroutine, whose input is 
{N, g, ^4) = {Nk^i, Qk, A{Nk-iT)) (together with the global data F and (G^, 0j, Xi)i^i) 
and whose output is A{Nqr) (with Nq — N^). 

The complexity of the lifting step is now 

t t j-i 

J2#MLj-i){Lj-i : Lj) « #A{Nk-iT)J2iL,-i : L,) J] n(L,_i, L,) . 

j=l j=l i=l 

In the worst case, we have n{Lj_i, Lj) = [Lj^i : Lj); then the second factor is 
at most ?fe + + • ■ ■ + < ^zjQk'j this is not much worse than the factor ql 
we had before. Usually, however, and in particular when N^-i is already fairly 
large, the numbers n{Lj_i, Lj) will be much smaller than (I/j-i : Lj); also we 
should have t = r and {Lj-i : Lj) = qt, so that the complexity is essentially 
^A{Nk_iT)qk. As an additional benefit, we distribute the tests we have to make 
over the intermediate steps, so that the average number of tests in the innermost 
loop will be smaller than when going directly from A^^-iF to NkT. 
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In this way, it is possible to compute these sets even when r is not very small. For 
example, in order to find the integral solutions of (2) = (5) (see [BMSST]), it was 
necessary to perform this kind of computation for a group of rank 6, and this was 
only made possible by our improvement of the lifting step. As another example, 
one of the two rank 4 curves that had to be dealt with by the Mordell-Weil sieve 
in our experiment [BSl] took the better part of a day with the implementation we 
had at the time (which was based on the "obvious approach" mentioned above). 
With the new method, this computation takes now less than 15 minutes. 

If we find that A{NkT) = for some k < m, then we stop. In the context of our 
application, this means that we have proved that C(Q) = as well. Otherwise, we 
can check to see if the remaining elements in A{Nr) actually come from rational 
points by computing the element of J(Q) of smallest height that is in the corre- 
sponding coset. It is usually a good idea to first do some more mod p checks so 
that one can be certain that the point in J(Q) really gives rise to a point in C(Q). 
If we do not find a rational point on C in this way, then we can increase S and 
decrease e and ei and repeat the computation. 

Let us also remark here that the lifting step can easily be parallelized, since we 
can compute the "offspring" of the various a e A{Nk-iT) independently. After 
the preparatory computation in PrepareLift has been done, we can split A{Nk-iT) 
into a number of subsets and give each of them to a separate thread to compute 
the resulting part of A{NkT). Then the results are collected, we check if the new 
set is empty, and if it is not, we repeat this procedure with the next lifting step. 

4. Applications 

4.1. Non-Existence of Rational Points. The main application we had in mind 
(and in fact, the motivation for developing the algorithm described in this paper) 
is in the context of our project on deciding the existence of rational points on all 
'small' genus 2 curves, see the report [BSl]. 

Out of initially about 200 000 isomorphism classes of curves, there are 1492 that 
are undecided after a search for rational points, checking for local points, and a 
2-descent [BS2]. We applied our algorithm to these curves and were able to prove 
for all of them that they do not have rational points. For some curves, we needed 
to assume the Birch and Swinnerton-Dyer conjecture for the correctness of the 
rank of the Mordell-Weil group. 

For the curves whose Jacobians have rank at most 2, we originally only used 'good' 
and 'fiat' information, i.e., groups J(Fp) for primes p of good reduction. For ranks 
3 and 4 (no higher ranks occur), we also used 'bad' and 'deep' information, as 
described in Sections 5 and 6 below. The running time of the Magma implemen- 
tation of the Mordell-Weil sieve algorithm we had at the time was about one day 
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for all 1492 curves (on a 1.7 GHz machine with 512 MB of RAM). Two thirds of 
that time was taken by one of the two rank 4 curves, and most of the remaining 
time was used for the 152 rank 3 curves. 

With the current implementation discussed in Section 7 below, the overall running 
time (now on a 2.0 GHz machine with 4 GB of RAM) is about two and a half 
hours. For a detailed discussion of the timings, see Section 8. 

4.2. Finding points. Instead of proving that no rational points on C exist, we 
can also use the Mordell-Weil sieve idea in order to find rational points on C up 
to very large height. When the rank is less than the genus, we can even combine 
the Mordell-Weil sieve with Chabauty's method in order to compute the set of 
rational points on C exactly, see Section 4.4 below. 

We want to find the rational points on C up to a certain (large) logarithmic height 
bound H. We assume that we know the height pairing matrix for the generators 
of J(Q) and a bound for the difference between naive and canonical height on J(Q). 
See [Stl, St8] for algorithms that provide these data in the case of genus 2 curves. 
From this information and the embedding C ^ J, we can then compute constants 
5 and d such that h{L{P)) < dh{P) + 5 for all P E C(Q). Here h denotes the 
canonical height on J(Q) and h denotes a suitable height function on the curve. 
The upshot of this is that h{P) < H implies h{L{P)) < H' = dH + 6. 

Note that in many cases when we want to find all rational points up to height H, 
we already know a rational point Pq on C. Then we can just use P [P — Pq] 
for the embedding l. 

We now proceed as before: we find a suitable set S of primes and a number 
and compute ^4(5", A^) C J{Q)/NJ{Q). For the purposes of this application, we 
require A^ to be divisible by the exponent of the torsion group J(Q)tors and to 
be such that A^^ > AH'/m, where m is the minimal canonical height of a non- 
torsion point in J(Q). These conditions imply that if Q,Q' G </(Q) are such that 
Q -Q' e NJ{Q) and h{Q), h{Q') < H', then Q = Q'. In other words, each coset 
of NJ{Q) in J(Q) contains at most one point of canonical height < H'. 

We do not necessarily expect A{S, N) to be empty now. However, by the preceding 
discussion, each element of A{S,N) corresponds to at most one point in C(Q) of 
height < H. Therefore we consider the elements of A{S, N) in turn (we expect 
them to be few in number), and for each of them, we do the following. First we 
check whether there is an element Q in the corresponding coset of NJ{Q) such 
that h{Q) < H'. If this is not the case, we discard the element. Otherwise, there is 
only one such Q, and we check for some more primes p ^ S whether the image of Q 
in J(Fp) is in the image of C(¥p). Note that we can perform these tests quickly 
only based on the representation of Q as a linear combination of the generators 
of J(Q): we reduce the generators mod p and compute the reduction of Q as a 



THE MORDELL-WEIL SIEVE 



14 



linear combination of the reduced generators. Depending on H' , we can determine 
such a set of primes beforehand, with the property that a point Q G J(Q) with 
h{Q) < H' that 'survives' all these tests must be in t(C(Q)), see the lemma below. 
So if Q fails one of the tests, we discard it, otherwise we compute Q as an explicit 
point and find its preimage in C(Q) under l. 

Lemma 4.1. Let Pq £ C{Q) and write x{Po) = [a : b) with coprime integers a,b. 
Let pi,p2, ■ ■ ■ ,Pm be primes of good reduction such that 

P1P2 ■ ■■Pm > e^'+'^max{|a|, 

and such that Pq and its hyperelliptic conjugate Pq are distinct mod some pj^ if 
they are distinct in C (Q) . Here 'y is a bound for the difference h — h between naive 
and canonical height on J(Q). We take l : P ^ [P — Pq]- 

If Q ^ J{Q.) satisfies h{Q) < H' and is such that the reduction of Q mod pj is in 
6(C(FpJ) for all 1 < j < m, then Q e i(C(Q)). 

Proof. Let {ki : k2 '■ k^ : k^) be the image of Q on the Kummer surface of J, with 
coprime integers kj. If Q mod pj is on the image of the curve, then pj divides 
kib'^ — k2ab + ksa'^. This integer has absolute value at most e^'~^'^ max{|a|, so 
if it is divisible by pi, ■ ■ ■ ,Pm, it must be zero. This implies that Q = [P — Pq] or 
Q = [P — Pq] for some P G C(Q). If Pq 7^ Pq, these two cases can be distinguished 
modpjg. □ 

The test whether a given coset of NJ{Q) contains a point of canonical height < H' 
comes down to a 'closest vector' computation with respect to the lattice (A^J(Q), h). 
Depending on the efficiency of this operation, we can start eliminating elements 
from A{S,Nk) already at some earlier stage of the computation of A{S,N), thus 
reducing the effort needed for the subsequent stages of the procedure. 

If we want to reach a very large height bound, then we should at some point switch 
over to the variant of the sieving procedure described in Section 4.3 below. 

Of course, there is a simpler alternative, which is to enumerate all lattice points 
in {J{Q) / J{Q)toTs, h) of norm < H' and then checking all corresponding points 
in J(Q) whether they are in the image of l. (For this test, one conveniently uses 
reduction mod p again, for a suitable set of primes p.) Which of the two methods 
will be more efficient will depend on the curve in question and on the height 
bound H. If the curve is fixed, then we expect our Mordell-Weil sieve method 
to be more efficient than the short vectors enumeration when H gets large. The 
reason for this is that once S and N are sufficiently large, the set A{S, N) is 
expected to be uniformly small (most of its elements should come from rational 
points on C), and so the computation of A{S, N) for large will not take much 
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additional time. On the other hand, the number of vectors of norm < H' will 
grow like a power of if', and the enumeration will eventually become infeasible. 

4.3. Integral Points on Hyperelliptic Curves. What the preceding applica- 
tion really gives us is a lower bound H for the logarithmic height of any rational 
point that we do not know (and therefore believe does not exist). If we can pro- 
duce such a bound in the order of H = 10'^ with k in the range of several hundred, 
then we can combine this information with upper bounds for integral points that 
can be deduced using linear forms in logarithms and thus determine the set of 
integral points on a hyperelliptic curve: if C : = f{x) is a hyperelliptic curve 
over Q, then it is possible to compute an upper bound log |x| < H that holds for 
integral points (x, y) G C, where H is usually of a size like that mentioned above. 
See Sections 3-9 in [BMSST]. 

With the procedure we have described here, it is feasible to reach values of 
in the range of 10^°°, corresponding to if ~ 10^°°. However, this is usually not 
enough — the upper bounds provided by the methods described in [BMSST] are 
more like 10®°°. The part of the computation that dominates the running time 
is the computation of the image of C{¥p) in the abstract finite abelian group 
representing J(Fp). To close the gap, we therefore switch to a different sieving 
strategy that avoids having to compute all these roughly p discrete logarithms 
in J(¥p). We assume that we know a subgroup L C J(Q) (initially this is NJ{Q)) 
such that the image of C(Q) in J{Q)/L is given by rational points we already 
know on C. We then try to find a smaller subgroup L' with the same property. 
Let g be a prime of good reduction, and recall the notation (pg : J(Q) J{^q) 
for the reduction homomorphism. Let W C J(Q) be the image of the known 
rational points on C, let L' = L n ker (pg, and take R C J(Q) to be a complete 
set of representatives of the nontrivial cosets of L' in L. We can now check for 
each w G W and r & R whether (pg{w + r) ^ 6(C(Fg)). If this is the case, then 
W will also represent the image of C(Q) in J{Q)/L'. Note that this test does not 
require the computation of a discrete logarithm. We still need to find the discrete 
logarithms of the images under 0g of our generators of the Mordell-Weil group 
in order to find the kernel of (pg, but this is a small fixed number of discrete log 
computations for each q. 

The Weil conjectures tell us that i^C(¥g)/j^J(¥g) ^ 1/q when C has genus 2, 
so the chance that we are successful in replacing L with L' is in the range of 
(1 — This will be very small when (L : L') ■ is much larger 

than q. Therefore we try to pick q such that L/{L (1 ker0q) is nontrivial, but 
comparable with q in size. A necessary condition for this is that the part of the 
group order of the image of (pg that is coprime to the index of L in J(Q) is ^ q. 
Since it is much faster to compute # J(Fg) than it is to compute (pg and its image 
and kernel, we simply check #J(Fq) instead. When q passes this test, we do the 
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more involved computation of the group structure of J(Fg) and the images of the 
generators of J(Q) in the corresponding abstract group, so that we can find the 
kernel of 0g and check the condition on {L : L'). If q passes also this test, we 
check if we can replace L by L'. Of course, we can abort this computation (and 
declare failure) as soon as we find some w + r as above such that w + r maps into 
<-(C(Fg)). See Section 11 of [BMSST]. The idea for this second sieving stage is 
due to Samir Siksek. 

If is sufficiently large, then we will have a good chance of finding enough primes q 
that allow us to go to a subgroup of larger index. Also, once we have been 
successful with a number of primes, more primes might become available for future 
steps, since the index of L fl ker 0^ in L may have become smaller. 

In the two examples treated in [BMSST], this second stage of the sieving procedure 
was successful in reaching a subgroup of sufficiently large index (up to 10^^°°) to 
be able to conclude that any putative unknown integral point must be so large as 
to violate the upper bounds obtained earlier. 

4.4. Combination with Chabauty's method. Chabauty originally came up 
with his method in [C ii] in order to prove a special case of Mordell's Conjecture. 
More recently, it has been developed into a powerful tool that allows us in many 
cases to determine the set of rational points on a given curve, see for example [Co, 
Fll, St4, McCP]. We can combine it with the Mordell-Weil sieve idea to obtain a 
very efficient procedure to determine C(Q). Examples of Chabauty computations 
supported by sieving can be found in [BE, Br, PSS]. In these examples it is the 
Chabauty part that is the focus of the computation, and sieving has a helping 
role. This is in contrast to what we describe here, where sieving is at the core 
of the computation, and the Chabauty approach is just used to supply us with a 
'separating' number N such that C(Q) injects into J{Q)/NJ{Q). 

Chabauty's method is applicable when the rank of J(Q) is less than the genus 
g of C. In this case, for every prime p, there is a regular nonzero differential 
Up G Q{Cqp) that annihilates the Mordell-Weil group under the natural pairing 
J{Q.p) X ^(C'qp) — > Qp- If p is a prime of good reduction for C, then a suitable 
multiple of Up reduces mod p to a nonzero regular differential ujp G fl^Cr^). If 
P G C(¥p) is a point such that ujp does not vanish at P (and p > 3), then there is 
at most one rational point on C that reduces mod p to P. See for example [St4, 
§6]. 

On the other hand, if is divisible by the exponent of J(Fp), then the rational 
points on C mapping via l into a given coset of NJ{Q) in J(Q) will all reduce 
mod p to the same point in C{¥p). So if Up does not vanish at any point in C{¥p), 
then we know that each coset of NJ{Q) can contain the image under t of at most 
one point in C(Q). If there is no such point and we assume the Main Conjecture 
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of [St5], then we will be able to show using the Mordell-Weil sieve that no point 
of C(Q) maps to this coset. If there is a point, we will eventually find it. 

This leads to the following outhne of the procedure. 

1. Find a prime p > 3 of good reduction for C such that there is Up G VL{Cq^) 
annihilating J(Q) and such that uOp does not vanish on C{¥p). 

2. Find a suitable set S of primes and a number as described in Sections 3.1 
and 3.2 above, with the additional condition that the exponent of J(Fp) di- 
vides A^. 

3. Compute A{S, N) as described in Section 3.3 above. 

4. For each element a G A{S, N), verify that it comes from a rational point on C. 
To do this, we take the point of smallest canonical height in the coset of NJ{Q) 
given by a and check if it comes from a rational point on C. If it does, we record 
the point. 

5. If the previous step is unsuccessful, we enlarge S and/or increase and com- 
pute a new A{S, N) based on the unresolved members of the old A{S, N). We 
then continue with Step 4. 

We have implemented this procedure in MAGMA and used it on a large number 
of genus 2 curves with Jacobian of Mordell-Weil rank 1. It proved to be quite 
efficient: the computation usually takes less than two seconds and almost always 
less than five seconds. For this implementation, we assume that one rational point 
is already known and use it as a base-point for the embedding l. In practice, this 
is no essential restriction, as there seems to be a strong tendency for small points 
(which can be found easily) to exist on C if there are rational points at all. Of 
course, we also need to know a generator of the free part of J(Q), or at least a 
point of infinite order in J(Q). If we only have a point P of infinite order, we 
also have to check that the index of Z ■ P -|- J(Q)tors in J{Q.) is prime to N. If 
P is not a generator, then in Step 4, we could have the problem that the point 
we are looking for is not in the subgroup generated by P (mod torsion). In this 
case, the smallest representative of a is likely to look large, and we should first 
try to see if some multiple of a is small, so that it can be recognized. A version 
of this procedure is used by the Chabauty function provided by recent releases 
of MAGMA. 

As mentioned in the discussion above. Steps 4 and 5 will eventually be successful 
if the Main Conjecture of [St5] holds for C. There is, however, an additional 
assumption we have to make, and that is that Step 1 will always be successful. 
We state this conjecture. 

Conjecture 4.2. Let C/Q be a curve of genus g > 2 such that its Jacobian is 
simple over Q and such that the Mordell- Weil rank r is less than g. Then there are 
infinitely many primes p such that there exists a regular differential ujp G ^(Cqp) 
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annihilating J(Q) such that the reduction modp of (a suitable multiple of) Up does 
not vanish on C(¥p). 

Of course, this can easily be generalized to number fields in place of Q. 

We need to assume that the Jacobian is simple, since otherwise there can be 
a differential killing the Mordell-Weil group that comes from one of the simple 
factors. Such a differential can possibly vanish at a rational point on the curve, 
and then its reductions mod p will vanish at an Fp-point for all p. For example, 
when C is a curve of genus 2 that covers two elliptic curves, one of rank zero and 
one of rank 1, then the (essentially unique) differential killing the Mordell-Weil 
group will be the pull-back of the regular differential on one of the elliptic curves, 
hence will be a global object. Of course, in such a case, we can instead work 
with one of the simple factors that still satisfies the 'Chabauty condition' that its 
Mordell-Weil rank is less than its dimension. 

We give a heuristic argument that indicates that Conjecture 4.2 is plausible. We 
first prove a lemma. 

Lemma 4.3. Let C be a smooth projective curve of genus g > 2 over ¥p. The 
probability that a random nonzero regular differential u on C does not vanish 
on C{¥p) is at least I + 0{gp-^/^). 

Proof. First assume that C is not hyperelliptic. Then we can consider the canon- 
ical embedding C —>■ P^~^. We have to estimate the number n of hyperplane 
sections that do not meet the image of C{¥p). If g = 3, then C C is a smooth 
plane quartic curve, and the nonzero regular differentials correspond to Fp-defined 
lines in (up to scaling). Let ik {k = 0, 1, 2,4) be the number of such lines that 
contain exactly k points of C(Fp) (with multiplicity). We want to estimate io- In 
the following, we disregard lines that are tangent to C in an Fp-rational point; 
their number is 0{p) and so the result is unaffected by them. 

Fix a point P G C{¥p) and consider the {p+ 1) lines through P. Projection away 
from P gives a covering C — > P^ of degree 3, which can be Galois only for at most 
four choices of P (since a necessary condition is that five tangents at inflection 
points of C meet at P, and there are at most 24 such tangents). These potential 
exceptions do not affect our estimate. For the other points, the covering has Galois 
group 5*3, and by results in [MS], we have, denoting by ik,p the number of lines 
through P meeting C(Fp) in exactly k points: 



^i,p = | + 0(v/^), V 



| + 0(v/^) and V 



P 
6 
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We obtain 

p 

p 

p 

io=p'+P + l-{ii + i2 + h) = Ip' + 0{p^/^) , 

o 

which shows that the probabihty here is | + 0(p^^/^). 

Now let g > 4 (still assuming that C is not hyperelliptic). Let denote the 
number of triples of distinct points in C{¥p) that are coUinear in the canonical 
embedding. By the inclusion-exclusion principle, we have for the number n of 
hyperplane sections missing C{¥p) 



A collinear triple is part of a one-dimensional linear system of degree 3 on C. 
It is known that there are at most two such linear systems when g = 4 (see, 
e.g., [n. Example IV.5.5.2]) and at most one when g > 5 (see, e.g., [Sh, Exam- 
ple 1.3.4.3]). This implies that < 2{p + 1), and therefore that has no effect 
on the estimate below. Since jj^C{¥p) = p + 0{gp^^'^), we find that 

> 1 - 1 + ^ - ^ + 0{gp-'/') = 1 + 0{gp-'/') . 



#P9-i(Fp) - 2 6 '^"^ ' 3 

If C is hyperelliptic, the problem is equivalent to the question, how likely is it for 
a random homogeneous polynomial of degree g — 1 in two variables not to vanish 
on the image X of C(Fp) in P^(Fp) under the hyperelliptic quotient map C ^ P^? 
The number n in this case can be estimated by 

n>#pf-i(Fp)-#X#P5-2(Fp) 

Since the size of X is p/2 + 0{gp^^'^), we obtain here even 

^ >l-l + 0{gp-'/') = l- + 0{gp-'/'). 



#P9-i(Fp) - 2 '^"^ ' 2 

□ 
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We expect that arguments similar to that used in the non-hyperelhptic genus 3 
case can show that the probabihty in question is 

29-2 .^xfc 

«9 + 0,(p-'/') With ag=Y,-^-^~^ 

k=0 

in the non-hyperelhptic case. In the hyperelliptic case, the corresponding proba- 
bility 

f3, + 0,{p-^/^) with /3. = X:^-e-V2 

A:=0 

is obtained by an obvious extension of the argument used in the proof above. 

We now consider a curve C/Q as in Conjecture 4.2, with r = g — 1. It seems 
reasonable to assume that the reduction ujp of the unique (up to scaling) differential 
ujp annihilating J(Q) behaves like a random element of Q^{C/¥p) as p varies. By 
Lemma 4.3, we would then expect even a set of primes p of positive density > 1/3 
such that Up does not vanish on C(¥p). 

When r < g — 2, the situation should be much better. We have at least a pencil of 
differentials, giving rise to a linear system of degree 2g — 2 and positive dimension 
on the curve over ¥p. Unless this linear system has a base-point in C{¥p), effective 
versions of the Chebotarev density theorem as in [MS] show that there is a divisor 
in the system whose support does not contain rational points, at least when p 
is sufficiently large. However, we still have to exclude the possibility that the 
relevant linear system has a base-point in C{¥p) for (almost) every p. 

If we mimick the set-up of Lemma 4.3 in the situation when g — r = d > 2, 
then we have to look at the Grassmannian of (r — l)-dimensional linear subspaces 
in P^"^: there is a d-dimensional linear space of differentials killing J(Q), and the 
intersection of the corresponding hyperplanes in P9~^ is an (r — l)-dimensional 
(projective) linear subspace. The set of such subspaces through a given point 
corresponds via projection away from this point to Gr(P''~^ C P^~^), so by the 
simplest case of the inclusion-exclusion inequality, we have for the number n of 
base-point free subspaces: 

n > # Gr(P'^-^ C P^"^) - #C(Fp) # Gr(P'-2 c P^^^) , 

and therefore a 'density' of 



#Gr(P'-i C ¥9-^) - " ^ P' #Gr(P'^-i C P^' 

When d = 2, one is thus led to expect an infinite but very sparse set of primes 
such that there is a base-point (since X^p"^ diverges), whereas for d > 2, one 
would expect only finitely many such primes. 
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If we modify the algorithm in such a way that it considers (arbitrarily) 'deep' 
information at p, then the requirement can be weakened to the following. 

Conjecture 4.4. Let C/Q be a curve of genus g > 2 such that its Jacobian is 
simple and has Mordell-Weil rank r < g. Then there is a prime p > 3 such that 
there exists a regular nonzero differential ujp G Q{Cqp) annihilating J(Q) such that 
Up does not vanish on C(Q). 

Heuristically, the probability that Up does vanish at a rational point should be zero 
(except when there is a good reason for it, see above), which lets us hope that 
the weaker conjecture may be amenable to proof. In fact, Tzanko Matev (a PhD 
student of Michael Stoll) has recently established a p-adic version of the 'analytic 
subgroup theorem' for abelian varieties (see [BW] for the background). It states 
that when J is absolutely simple, then the p-adic logarithm of an algebraic point 
on J cannot be contained in a proper subspace of the tangent space Tq J(Qp) that is 
generated by algebraic vectors. This implies that the statement of Conjecture 4.4 
is true for every p when the Mordell-Weil rank is 1 . 

5. Information at bad primes 

This and the following section discuss how to extract the information that the 
Mordell-Weil sieve needs as input in the specific case that C is a curve of genus 2 
over Q (or a more general number field) and we are not just interested in C{¥p) 
and J(Fp) for a prime p of good reduction. 

In particular when the rank is large, which in practice means r > 3, it becomes 
important to use sufficient 'local' information to keep the sizes of the sets A{S, Nj) 
reasonably small. A valuable source of such information is given by primes of bad 
reduction, as the group orders of suitable quotients of J(Qp) tend to be rather 
smooth. More precisely, we would like to make use of the top layers of the filtration 
given by the well-known exact sequences 

J°(Qp) — ^ J(Qp) ^ %i¥p) 

and 

J\Qp) ^ J%Qp) J{¥p) . 
Here $p is the component group of the special fiber of the Neron model of J 
over Zp and J is the connected component of the special fiber (and J^(Qp) is the 
kernel of reduction). 

In this section, we describe how this information can be obtained when C is a 
genus 2 curve, p is odd, and the given model of C is regular at p. Here and in the 
following, we will use J^(Qp), and later J"(Qp), to denote the kernel of reduction 
and the 'higher' kernels of reduction with respect to the given model of the curve. 
If the model is not minimal in a suitable sense, then our kernel of reduction will be 
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strictly contained in the kernel of reduction with respect to a Neron model. To be 
precise, for us, J^(Qp) denotes the subgroup of points in J(Qp) whose reduction 
mod p on the projective model in P^^ given as described in [CI; , Ch. 2] is the 
origin; see below. Of course, this then changes the meaning of the quotients in 
the sequences above. 

But first, we will establish some general facts. Let A; be a field with ch.a.T{k) ^ 2, 
and let 

F{X, Z) = ux^ + /sX^Z + f^X^Z^ + hX^Z^ + hx^z^ + hXZ'> + hZ^ 

be a homogeneous polynomial of degree 6 with coefficients in k. We do not assume 
that F is squarefree or even that F 7^ 0. 

Definition 5.1. 

(1) Let Cf be the curve given by the equation 

y2 = F(X, Z) 

in the weighted projective plane with weights (1, 3, 1) for the coordinates 
X, F, Z, respectively. 

(2) Denote by Jp the scheme in P^,^ that is defined by the 72 quadrics described 
in [C'L", Ch. 2] (see [F13, jacobian. variety/defining. equations] for explicit 
equations). 

(3) Let Kp be the surface in P^ that is defined by the Kummer surface equa- 
tion as given in [ , Ch. 3], and denote hy dp = 5 = (5i,...,54) the 
polynomials giving the duplication map on the Kummer surface, see [F13, 
kummer / duplication] . 

If (5(-P) 7^ 0, then we write P(5(P) G P'^ for the point with projective 
coordinates (5i(-P) : . . . : 54 (P)). 

(4) Let Dp C X X A| be the scheme of triples (A, P, C) such that A^Q 
and 

F(X, Z) = A{X, Z)C{X, Z) + P(X, Z f , 
where we set for A = (oq, Oi, 02), B = {bo, . . . , 63) and C = (cq, ...,04) 
A{X, Z) = asX^ + aiXZ + aoZ^ , 
B{X, Z) = hX^ + b2X^Z + biXZ^ + boZ^ , 

C(X, Z) = C4X^ + CgX^Z + C2X^Z^ + CiXZ^ + CqZ^ . 

Let Dp C Fix Al be the image of Dp under the projection to the first two 
factors, followed by the canonical map A^ \ {0} ^ P2 on the first factor. 

When F is squarefree, then Cp is a. smooth curve of genus 2, Jp is its Jacobian, 
and Kp is the associated Kummer surface. The scheme Dp then gives the possible 



THE MORDELL-WEIL SIEVE 



23 



Mumford representations of effective divisors of degree 2 on Cj?; it therefore maps 
onto Jf\{0}. We will extend these relations to our more general setting. 

The 'origin' O = (1 : : . . . : 0) is always a (smooth) point on Jp. The 16 
coordinates on Jp split into 10 'even' and 6 'odd' ones; the even coordinates 
are given (up to a simple invcrtiblc linear transformation) by the monomials of 

degree 2 in the coordinates on Kp. 

Let us first look at the relation between Jp and Kp- 

Lemma 5.2. Projection to the ten even coordinates gives rise to a morphism 
K : Jp Kp, which is a double cover. 



Proof. The monomials of degree 2 in the odd coordinates can be expressed as 
quadratic forms in the even coordinates. So if all the even coordinates vanish, the 

odd coordinates have to vanish, too. Therefore projection to the spanned by 
the even coordinates is a morphism. The relations between the even coordinates 
are exactly those coming from the fact that the even coordinates come from the 
monomials of degree 2 in the coordinates of the containing Kp, together with 
the quadratic relation coming from the quartic equation defining Kp. Therefore 
the image of Jp in P^ is the image of Kp under the 2-uple embedding of P"^ into P^ 
and therefore isomorphic to Kp. This gives the morphism k. The fact stated in 
the first sentence of this proof then implies that k is a (ramified) double cover. □ 

Now let us consider the relation between Dp, Dp and Jp. 
Lemma 5.3. There is a morphism 

4>:Dp^Jp\ {0} 

that specializes to the representation of points on Jp mentioned above when F is 
squarefree. The morphism (f) is surjective on k-points and makes the following 
diagram commute: 

Dp — ^Jp\{0} pr': Kp — > P^ 

\ ^ {xi : X2 : xs : X4) 1 — ^ {xs : —Xi : Xi) 

\Kp\{k{0)} Wi- P'xA^ P2 
P""! \ ((ao : ai : 02), B) 1 — > (ao : oi : 02) 

\ pr' 

p2 



Furthermore, (f){A, B) = (t){A , B') if and only if A = A' andB{X, Z) = B'{X, Z) mod 
A{X,Z). 
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Proof. Let {A, B) E Dp. Then can be given as 
(f){A, 5) =(*:*:*:*: * : * 

-62^0 + bi(io(^i — boiaj — ao«2) : ^s^o ~ ^i«o«2 + &oai«2 
-630001 + 620002 — 6002 : 63 (a^ — 0002) — 620102 + 6ia2 
: — OoOi : ao02 : —0102 : : a1 — 4ao02) . 

One can check using the defining equations of Jp given at [ ] that the first six 
coordinates are uniquely determined by the last ten when the last six are not all 
zero. It is also possible to write down expressions for the first six coordinates in 
terms of A, B and C, where (A, 5, C) is the point on Dp mapping to (A, B). The 
image of the point above under n has the form ( 

02 • — Oi : do • 

*), which shows 

that pr' o/t o = prj^. It remains to show that is surjective on fc-points. Let 
P e Jp{k) \ {O}, then A = pt'{k{P)) G P^(/c) is defined. Consider the middle four 
coordinates on J (n— 7 through 10). The expression for (f){A, B) given above gives 
rise to a system of linear equations for B. The last six of the equations defining Jp 
ensure that the system has a solution B G A^(A;). Then (j){A, B) agrees with P in 
the last ten coordinates; therefore we must have (f){A, B) = P. 

To show the last statement, note first that (j){A,B) = (f){A',B') implies A = A' 
(apply pr' ok). The kernel of the matrix giving the linear equations determining B 
is spanned by the coefficient tuples of ZA{X, Z) and XA{X, Z). This shows that 
(j){A, B) = (PIa, B') ^ A{X,Z) \ B{X,Z) - B'{X,Z). □ 

By the above, the fibers of the map (/) : Dp ^ Jp\{0} are isomorphic to A^. We 
can remove this ambiguity at the cost of restricting to a subscheme. 

Lemma 5.4. Let 

Uo = {{A, B)eDp:ao = 1, 60 = 61 = 0} , 

Ui = {{A, B)eDp:ai = 1, ao02 ^ 1, 61 = 62 = 0} , 

f/2 = {(AB) eDp:a2 = l,b2 = h = 0}. 

Then (plu^ is an isomorphism onto its image for each j G {0, 1, 2}, and 

0(f/o)U0(f/i)U0(f/2) = Ji.\{0}. 

Proof. In each case, the linear system giving 60,..., 63 in terms of the middle 
four coordinates on Jp, together with the conditions bj = bj^i = has a unique 
solution, giving the inverse morphism (f){Uj) —>■ Uj. The last statement then 
follows, since the images of the Uj in cover P^. □ 



Now we can describe the smooth locus of Jp. 
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Proposition 5.5. The origin O is always a smooth point on Jp- If P G Jf\{0}, 
write P = (j){A,B) with {A,B) G Dp. Then P is a singular point on Jp if and 
only if 

(1) A(X, Z) has a simple root (in at a multiple root of F, or 

(2) A{X, Z) = cL{X, Zy has a double root at a multiple root of F and L[X, Z)^ 
divides F{X, Z) - B{X, Zf. 

Note that the last condition means that the curve Y = B{X, Z) is tangential to a 
branch of Cp at the singular point L{X, Z) = Y = 0. 

Proof. The statement that O G Jf is smooth is easily checked using the ex- 
plicit equations. The general statement is geometric, so we can assume k to 
be algebraically closed. Then there is a transformation a G GL2{k) such that 
A'^{X, Z) = XZ or X^. In the first case, we can take Q G f/i, and we easily check 
that Q is singular on Ui if and only if /q = /i = or /g = /s = 0, which means 
that F has a multiple root at one of the two simple roots of A{X, Z), namely 
or oo. In the second case, we can take Q G U2, and we find that Q is singular on U2 
if and only if /o = /i = /2 — &i = 0, which means that F has a multiple root at the 
double root of A{X, Z) and that = L(X, Zf divides Z) - B{X, Zf. 
Since is an isomorphism on f/j , P is singular on Jp if and only if Q is singular 
on Uj. □ 

Definition 5.6. We denote by D'p the locus of points Q & Dp such that 0(Q) is 
a smooth point on Jp, and we write J'p for the subscheme of smooth points on Jp. 

According to Prop. 5.5 above, the complement of Dp m Dp consists of the points 
(A, B) satisfying one of the conditions in the proposition. 

Lemma 5.7. Assume that k is algebraically closed. Then Jp is reduced and irre- 
ducible except in the following two cases. 

(1) F = 0. Then Jp has two irreducible components. One is 0(P^ x {0}) and 
is not reduced, the other contains O, and its remaining points are of the 
form (j){A, B) such that there is a linear form L with A{X, Z) = cL{X, Zf 
andL{X,Z) \ B{X,Z). 

(2) F = H{X, zf is a nonzero square. Then Jp has three irreducible compo- 
nents, all of which are reduced. Two of them are given by 0(P^ x {±H}), 
the third contains the origin O. 

Proof. It is easy to check the claim in the two special cases. In all other cases, Cp 

(2) 

is reduced and irreducible. Consider the symmetric square C;'. Let S cCphe 
the (finite) set of singular points (given by the mutiple roots of F) . Identify S 
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with its image in Cp under the diagonal map. There is a morphism 

ij:Cf\S ^ Jf 

that can be defined using the expressions for the coordinates on the Jacobian given 
in [CF, Ch. 2]. Its image is 

Jf \ {(j){A, B) : A{X, Z) = cL{X, Zf, L{P) = for some P e S} , 

(2) 

which is dense in Jf- Since Cp is irreducible, this implies that Jf is irreducible 
as well. The component containing the origin is always reduced, since the origin 
is a smooth point. □ 

Remark 5.8. If k is not algebraically closed, then there is the additional case 
F = cH{X, Z)"^ with H and a non-square c E k. According to Lemma 5.7, Jf 
has three geometric components. One is defined over k and contains the origin, 
the other two are conjugate over k{^/c) and do not have any smooth A;-points. 

If we apply the argument used in the proof above in the case F = ^ 0, then 
Cf has two components, therefore Cp has three, and we see again that Jf has 
three (reduced) irreducible components. 

From the description given in the proof, we see that i\} extends to a morphism 

^ : Bl'^ cf — > Jf • 

Here Bl'^ Cf is obtained from Cf by replacing each point in by a in such 

a way that locally near a point in S*, Bl'^. cf is the closure of the graph of the 
rational map giving the slope (in a suitable affine chart) of the line connecting the 
two points in the divisor corresponding to a point in Cf. Let vr : — > be 
the canonical map, and denote by vr* the induced map pi cf. Then ^ IS an 
isomorphism away from 7r*(P^) and contracts 7r*(P^) to the origin O G Jf- We 
therefore have an isomorphism 

BI5 cf ^ Bio Jf - 

(2) 

This generalizes the standard fact that Cp = Bio Jf if Cf is smooth. 

Definition 5.9. We denote by Jp the component of the smooth part J'p of Jf 
that contains the origin O- We write Kp for the open subscheme of Kf on which 
5 7^ 0. Let Bf denote the matrix of biquadratic forms as defined in [CF, Ch. 3]; 
see [F13, kummer/biquadratic. forms] for explicit expressions. 

Proposition 5.10. We have h{Jf) = Kp. Equivalently, a point P G Jf is smooth 
and on the component of the origin if and only if 6{k{P)) 7^ 0. 

Proof. We can again assume that k is algebraically closed and that pr'(K(P)) is one 
of (0 : 1 : 0) or (1 : : 0). (O is always smooth, and S^^k^O)) 7^ 0.) We represent 
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P as 0(Q) with g = ((0 : 1 : 0), (6o, 0, 0, 63)) or Q = ((1 : : 0), (60, &i, 0, 0)), 
respectively. Then we can use the description of singular points given in Prop. 5.5 
and the description of the components of Jp given in Lemma 5.7. Writing down the 
polynomials Sj evaluated at K,{(j){Q)), we conclude after some fairly straightforward 
manipulations that in the first case, 5 = if and only if /o = /i = or /e = /s = 0, 
or there are h, 62 such that F = (fogX^ + fegX^Z + b^XZ"^ + boZ^f. The first two 
conditions mean as before that there is a singularity at or 00, and the third says 
that P is not on the right component. In the second case, we find in a similar way 
that 5 = if and only if | F and \ F - {biXZ^ + b^Z^f, or F is a square 
and does not vanish at 0. The first condition means that P is not smooth, the 
second says again that P is not on the right component. □ 

This result is due (with a different proof) to Jan Steffen Miiller, a PhD student of 
one of us (StoU). 

Now we can state and prove the main result of this section. 

Theorem 5.11. The scheme Jp is a commutative algebraic group in a natural 
way. If we represent its nonzero elements by pairs {A,B) G D^{F), then compo- 
sition in the group can be performed by Cantor composition and reduction [Ca], 
except when both polynomials A{X,Z) vanish at the same singular point of Cp. 
Without loss of generality, this point is at X = 0; then we have 

^{x\ \xz^) + <p{x\ fixz^) = Jx\ ^±^xzA 

V A + yU / 

where F{X, Z) = /aX^Z^ + f^X^Z^ + ■■■ + f^Z^. // A + /i = 0, the result is the 
zero element in Jp. 

Proof. Let O he a complete discrete valuation ring with uniformizer tt, residue 
field k and field of fractions L. We can then find a homogeneous polynomial 
F e 0[X, Z] of degree six that is squarefree and whose reduction mod vr is F. We 
denote reduction mod vr by a bar. Let G = Jp{L), = {P E G : P E Jp{k)}, 
and G^ = {P e G : P = O e Jpik)}. Then for P G G° and Q G G\ we have 
P + Q = P. To see this, note that the images of P ± Q under k, are given by 
Bp{P,Q). Since Bp{P,Q) = Bp{P,Q) ~ P^ P (abusing notation by letting P 
denote a vector of projective coordinates for P), we must have k{P ± Q) = k{P). 
This implies that P + Q = P or —P. The function Q \—>- P + Q cannot take 
exactly two distinct values on the residue class of O, so we must have P + Q = P. 

This implies that G^ is a subgroup of G, that G^ acts on and that (at least as 
sets) G^ /G^ = Jp{k). By a similar argument, we see that (j° is also a subgroup 
of G (if P,Q e G°, then by Pro p. 3.1 of [ ], Bp{P,Q) ^ 0, which implies by 
Lemma 3.2 of [St.3] that P ± Q G Jp{k)). This already shows that Jp{k) has a 
group structure (and the same is true for Jp{i) for every field extension £ of k). 
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To see that the group law on Jp is given by Cantor's algorithm, we can lift two 
given elements to G*^ in such a way that we stay in the same case in the algorithm, 
then apply the algorithm over L (in fact, over O) and reduce mod vr. This works 
unless we are in the special case mentioned in the statement of the proposition. 
The formula in this case can be obtained by a suitable limit argument. This then 
also shows that Jp is an algebraic group. □ 

The upshot of this result is that we can do computations in the group Jp{k), much 
in the same way as we compute in the Jacobian of when is smooth. 

Remark 5.12. If A; = Fg and q is odd, one can work out the order of the group 
Jp{k), depending on the factorization of F. This leads to the table in Figure 1. 
The subscripts give the degrees of the factors, which are assumed to be irreducible 
if they occur with multiplicity > 1, and to be pairwise coprime. E is the genus 1 
curve y"^ = h^i^x, 1) or y"^ = h^{x, 1). 'sq(c)' means that c is a square in . 

liF = is a nonzero square, then by Lemma 5.7 Jp splits into three components, 
the two components not containing O being given by </)(P^ x {±if}). We denote 
their intersection with J'p by Jp. In a similar way as above for the group structure 
of Jp, we obtain well-defined maps 

Jp ^ Jp ^ Jp J J p ^ J p J p ) and Jp X Jp > J p 

that are compatible with the group structure of Jp and show that Jp and Jp are 
principal homogeneous spaces under Jp. Therefore the number of smooth points 
in Jp{k) is three times the cardinality of Jp{k). On the other hand, our addition 
is not defined on Jp x Jp or Jp x Jp. (In this case, the B polynomial one obtains 
in Cantor's algorithm vanishes along one of the components of C^, and we get an 
undefined A.) 



As in the proof of Thm. 5.11, we now consider the situation that O is a complete 
discrete valuation ring with uniformizer vr, residue field k such that char(A;) 7^ 2 
and field of fractions L. We denote hj v : % the normalized valuation. 

Let F G Z] be homogeneous of degree 6 and squarefree. The 72 quadrics 

defining Jp have coefficients in 0\ we obtain a fiat scheme over Spec(O). We 
abuse notation slightly and set 

jO (L) = {P G Jp{L) ■ P e 4(fc)} and 4(L) = {P G Jp{L) : P = 0} . 

We will call Jp{L) the kernel of reduction. The reader should be warned that this 
notion depends on the given model of the curve and need not coincide with the 
kernel of reduction defined in terms of a Neron model of the Jacobian. 

Lemma 5.13. Consider {A, B) G Dp{L) with A{X, Z) = X'^ + aiXZ + qqZ^ and 
B{X, Z) = hXZ^ + boZ\ 
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factorization 
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order otherwise 
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leading coeff. 
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q' 




g\hi 






cgl 


leading coeff. 


q' 





Figure 1. Group orders #J^(Fq). 



(1) If aQ.ai G 69 Q'^c^ ^1 s'^e '^o^ both integral, then P — (l){A,B) is in 
the kernel of reduction. 

(2) Now assume that Oq, Oi, and bi are integral. If ti divides /o, /i and a^, 
but TT^ does not divide fo, then tt also divides ai and bo, but does not divide 
h-b\. 

Proof. 

(1) We work in the affine chart (X : Z) = {x : 1). Reducing F{x, 1) modulo 
A{x^ 1) = a;^ + aix + ag, wc obtain a relation = aiX + that holds for 
the points in the divisor described by the pair of polynomials (A, B). Since 
the coefficients of F and ao, oi are integral, the same holds for ao and cti. 
If we square the relation y — B{x, 1) and reduce it mod A{x, 1), we obtain 

61(260 - ftiOi) = ai , bl-bjao^ao. 

The second relation shows that ^(60) < ^(^i) is impossible, so we must have 
v{bi) < 0. Eliminating bo from the two equations above gives (a^ — 4ao)6f € 
O, so the discriminant of A{x,l) must be divisible by vr^. Therefore the two 
points in the divisor reduce mod n to points with the same x-coordinate. 
If these points were not opposite, then y = B{x, 1) would reduce to the 
equation of the (non-vertical) tangent line at the point on Cpik) that 
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both points reduce to, so 60 and 61 would be integral, contradicting the 
assumptions. So the divisor reduces to the sum of two opposite points, 
hence P reduces mod vr to the origin. 
(2) We know that + aix + divides F{x, 1) — {bix + 6o)^- Write /o = tt/q, 
/i = 71 f[, ao = TTttQ. From 



The first of these implies that bo = 7r6g for some 6q G O. Since /q is not 
divisible by vr (by assumption), we then also see that vr f OgCo. The second 
equation then shows that vr divides ai, and then the third equation tells 
us that /2 — fof = Co ^ mod vr. 



This allows us to get a description of the reductions of points not in the kernel of 
reduction when the curve is regular. 

Corollary 5.14. Assume that Cp/O as above is regular. Let P G Jf{L) \ Jp{L). 
If P = (f){A,B) with A{X,Z) G 0[X,Z] primitive, then after adding a suitable 
multiple of A{X,Z), B{X,Z) has coefficients in O, and the reduction (^, -B) of 
(A, S) mod 71 is in D'p{k), hence P is a smooth point on Jp. In particular, if F 
is not a square, then Jf{L) = Jp{L). 

Proof. First assume that the coefficient of in A{X, Z) is a unit. Then we can 
take A{x,l) to be monic and B{x,l) to be of degree at most 1. The integrality 
of B is given by Lemma 5.13, (1). If A vanishes at a singularity of Cp, then by 
a suitable shift, we can assume that the singularity is at x = (we may have to 
extend the field for that; note that the shift will be by an integral element). We 
then have that vr divides /o, /i and oq, which by Lemma 5.13, (2), implies that vr 
also divides ai and b^ (vr^ f /o because of the regularity assumption). This shows 
that A has a double root at the singularity (and hence, that no field extension 
was necessary) and that B = XX Z^. We also know from the lemma that 7^ /2, 
which means exactly that the slope of the line described by b does not coincide 
with the slope of a branch of the curve at the singularity. Hence {A, B) G D'p{k). 
This implies that P G J'p. If F is not a square, then J'p{k) = Jp{k), and the last 
claim follows. 




we get 



nf[ - 2bobi 
h-bl 



Co + fliCi + 7raoC2 



□ 
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The case when the coefficient of in A{X, Z) is not a unit can be reduced to 
the general case discussed above by a suitable change of coordinates. □ 

Corollary 5.15. Assume that Cp/O is regular and that F is not a square. Then 
the following sequence is exact. 

4(L) ML) ^ 4{k) . 

Proof. By Cor. 5.14, we know that Jp{L) = Jp{L), and by the proof of Thm. 5.11, 
we know that reduction mod vr gives a group homomorphism Jp{L) —>■ Jp{k) with 
kernel Jp{L). This homomorphism is surjective because of Hensel's Lemma (recall 
that the points in Jp{k) are smooth). □ 

Remark 5.16. When Cp/O is regular, then the scheme obtained from Jp/O by 
removing the singular points in the special fiber Jp/k is the Neron model of JpjL^ 
and J^jk is the connected component of the identity on the special fiber. 

If Cp/O is not regular, then the smooth part of Jp/O still maps to the Neron 
model (by the universal property of the latter), but the image of J|, in the special 
fiber of the Neron model can be trivial or a one- dimensional subgroup. 

We now consider a genus 2 curve C = Cp over Qp given by a Weierstrass equation 
Y"^ = F{X, Z) over Zp. We will drop the subscript F in the following. By 
the above, we have (Qp) / (Qp) = J|(Fp), and the map is given by reducing 
the standard representation modulo p (on elements that are not in the kernel of 
reduction). 

This gives us a handle on the quotient J{Qp)/ J^{Qp) when p is odd, the model is 
regular and the special fiber of C has just one component, cf. Cor. 5.15. 

Since we have now established that we can use Cantor reduction on Jp(¥p) in 
the same way as in the good reduction case, we can proceed and find the image 
6(C(Fp)) C Jpi^p) in the same way as described in Section 3.1. 

Otherwise, that is, when p = 2, the model is not regular, or the special fiber 
has several components, we first need to find J°(Qp), or rather (for our purposes) 
J(Q) n t/°(Qp). We can do this by an enumerative process. 

In the following, A is a finitely generated free abelian group, t is a test that 
determines whether a given element of A is in the subgroup. In our application, 
A = J(Q), and t tests whether a point P is in J^{Qp). According to Prop. 5.10, 
we can use 

t(P) ^ Vp{5{KiP))) = AvpiniP)) 

(with the same choice of projective coordinates for k{P) on both sides), or in the 
notation of [St3], t{P) ^ tp{P) = 0. 
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GetSubgroup(y4, t): 

(7 := / / g will contain the generators of the subgroup 
A' := {0} G A 11 known part of quotient group 
for h G Generators(y4): 

/ / find smallest multiple of h such that A' + b meets the subgroup 

J := 1; b' := b 

while -i3a G A' : t{b' + a): 

j ■= j + 1; b' ■= b' + b 
end while 

/ / note new subgroup generator 
g := g U {b' + a}, where a G A' satisfies t{b' + a) 
1 1 extend A! to get a set of representatives of the image of the group 
/ / generated by the first few generators of A in the quotient 
A' := {a + i-6 : 2 G {0, - l},a G A'} 
end for 

return {g) j j a. subgroup of A 



This allows us to find J(Q)n J°(Qp) and hence the image of J(Q) in J(Qp)/J°(Qp). 
It remains to determine the image of C(Qp) in this group. It is, however, better 
to find the image of C(Qp) in J(Qp)/J"'^(Qp) directly, or rather, to find the subset 
of J(Q)/(J(Q) n J^Qp)) that is in the image of C(Qp). For this we use the map 
to the dual Kummer surface described below in Section 6: for a representative 
P G J(Q) of each element of J(Q)/(J(Q) n J^Qp)), we check if its image on the 
dual Kummer surface satisfies \ ri4 and p \ rjii]^ — r/g- 

The reason for working mod J^{Qp) and not mod J°(Qp) (which might be more 
efficient) is that there does not seem to be a simple criterion that tells us whether 
we are in t(C(Qp)) + J°(Qp). 

6. 'Deep' information 

In this section, we work with genus 2 curves over Q for simplicity. Everything can 
easily be generalized to genus 2 curves over arbitrary number fields. 

Especially for small primes p, we can hope to gain valuable information by not 
just looking at J(Fp) or, more generally, J (Qp) / (Qp) , but also into the kernel of 
reduction to some depth. If J"'(Qp) (for n > 1) denotes the 'nth kernel of reduc- 
tion', i.e., the subgroup of elements that consists of the p"Zp-points of the formal 
group, then we would like to determine (the image of J(Q) in) J(Qp)/J"(Qp) and 
the image of C{Qp) in this group. 
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The first step is to find J(Q) fl J"(Qp). This can be done with the help of the 
p-adic logarithm on the Jacobian. The power series of the formal logarithm up 
to terms of degree 7 can be found on Victor Flynn's website [ i \ local/log]. If 
higher precision is needed, we perform a p-adic numerical integration, as follows. 
We can represent a given point in the kernel of reduction in the form [Pi — P2], 
where Pi and P2 are points on the curve that reduce mod p to the same point. 
Assuming for simplicity that the points have p-adically integral coordinates and 
do not reduce to a Weierstrass point, we write Pi = + 5, r^i), P2 = — ^,112)- 
We then write the differentials ujq = dx/2y and ui = x dx/2y as a power series in 
terms of the uniformizer t = x — ^, times dt, and integrate this numerically from 
t = —6 up to t = 6, to the desired precision (note that 6 has positive valuation). 
Alternatively, we can use that on the Kummer surface, we have 

. P = (A2p2n + 0(p3n) . 2AiA2P^" + 0(p=^") : + 0(p3") ; l) 

where (Ai,A2) is the logarithm of P. So to compute the logarithm up to 0(p"'), 
we multiply the point by on the Kummer surface to find the logarithm up to 
a sign. (If p = 2, we need a few more bits of precision here.) We then fix the sign 
by comparing with the first-order approximation we obtain from the functions A 
and fi on the Jacobian, in the notation of [ , § 2] . 

Given that we are able to compute the logarithm 

log : j\Qp) ^ (pZp)2 

to any desired accuracy, we compute the finite-index subgroup Kn = ^(Q)n J"(Qp) 
of J(Q) as follows. We assume that Ki is already given. We can therefore set up 
the group homomorphism 




then Kn is just its kernel. 

The second and more time-consuming step is to find the image of C(Qp) in 
J (Qp) / (Qp) ■ We assume again that the 'flat' information (i.e., the image of 
C{Qp) in J(Qp)/ J^(Qp)) is already known. For each point in the intersection of 
the images of C(Qp) and of J(Q) inside J{Qp)/ J^{Qp), we then have to find all 
its 'liftings' to elements in the intersection of the images of C{Qp) and of J(Q) in 

J(Qp)/J"(Qp). 

One approach would be to take some lifting Pq in C(Qp), add representatives 
of J{Qp)/ J"'{Qp) to it and see which lie sufficiently close to C. One practical 
problem lies in the word 'add'. By [C'F, Ch. 2,3], the Jacobian can be embedded 
into P^^, and the sum P + Q can be expressed in terms of biquadratic forms in 
the coordinates of P and Q. For a given curve C, these forms can be determined 
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using interpolation, but they can have several thousand terms, so any subsequent 
computations based on them will be rather slow. 

The usual method of adding points on J, following [C'a], essentially uses some 
affine part of the Jacobian. Problems with denominators make it not well-suited 
for p-adic fixed precision calculations. 

We instead propose to use the Kummer surface and its dual (see [CF, Ch. 4]). The 
hyperelliptic involution on C induces an involution on the principal homogeneous 
space PicJ; of J, and the quotient of Pic^ by this involution is again a quartic 
surface in P^. An explicit equation is given by 



2/0^74 fm vi V2 

fm 2/2?74 - 2r]i f3r]i - r]2 1]^ 

Vi fsm - m 2/4774 - 2r]3 f^rji 

V2 V3 fbVi 2/6774 



0, 



see [CF, p. 33]. This model has the property that the natural image of C C PicJ; 
is given by 774 = 0. Furthermore, if P G Pic J; maps to (7/1 : 772 : 773 : 7/4) on the dual 
Kummer surface and Q E J maps to (^1 : ^2 : ^3 : ^4) on the Kummer surface, 
then P E C ± Q if and only if ^i7/i + ^2^72 + ^3^3 + ^4^4 = 0. We will denote the 
Kummer surface by /C and the dual Kummer surface by /C*. 

The group law on J leaves its traces on /C. Suppose that Q,R G J. Write 
y = (^i(Q); • • • ; ^4(Q)) and z = . . . , ^4(i?)) for projective coordinates of 

their images on /C. Following [CI- , Ch. 3], there is a matrix of biquadratic forms 
B{y,z) = (Bij) such that 

25., = UQ + RMQ -R) + UQ- RMQ + R) ■ 

The action of J on PicJ; can be similarly described on /C*. Suppose that Q E J 
and P E PicJ; and that x = r]{P) and y = ^{Q) are projective coordinates for 
their images on /C* and on JC, respectively. There is now a symmetric matrix of 
biquadratic forms A(x, y) = (Aij) such that 

2Aij = r]i{P + Q)r]jiP - Q) + 7]i{P - Q)rij{P + Q) . 

The following result lets us compute A from B rather easily. We assume that B 
has been scaled so that -644(0, 0, 0, 1; 0, 0, 0, 1) = 1 and A has been scaled so that 
An(l, 0,0,0; 0,0, 0,1) = 1. 

Lemma 6.1. Let x be coordinates of the image of P E PicJ; on JC* , and let y, z 
be coordinates of the images of Q,Re J onK. Then, considering x, y, z as row 
vectors, 

^B{y,z)^'^ = zA(x,y)z^. 
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Proof. Both sides are triquadratic forms in x, y,z. Using the duahty property 
mentioned above, it can be checked that each side vanishes if and only if 

P E C ± Q ± R for some choice of signs. 

This imphes that both sides are proportional, and since they take the same value 1 
at X = (1,0,0,0), y = z = (0,0,0,1), they must be equal (since there are no 
quadrics vanishing on either of the two surfaces). □ 

So in order to find A, we construct the polynomial on the left hand side and 
interpret it quadratic form in z. 

On the Kummer surface, we can use B to find the image of P + Q if the images of 
P, Q and P — Q are known. This is known as 'pseudo-addition' (see [' ' ]) and can 
be extended to the computation of images of linear combinations aiPi + - ■ ■ + amPm 
if the images of the 2"* points eiPi + ■ ■ ■ + emPm are known, where ej G {0, 1}. It 
should be noted that the complexity of this procedure in terms of pseudo-additions 
is 2*^ times the bit-length of the coefficients, so we should not use it to compute 
linear combinations of many points. One important feature of this is that it works 
with projective coordinates and is therefore well-suited for p-adic arithmetic with 
fixed precision. 

In a similar way, we can compute the image of P + aiPi + ■ ■ ■ + a^Pm on the dual 
Kummer surface, if P G PicJ; and Pi, ... , P^ G J. We need to know the images of 
P + eiPi + ■ ■ ■ + emPm (with ej G {0, 1}) in addition to eiPi + ■ ■ ■ + emPm, and in 
the pseudo-addition step, B is replaced with A. The remark on complexity applies 
here as well. Below, we will take generators of the successive quotients Ki^i/Ki 
as the Pj] in most cases, this quotient is isomorphic to a subgroup of (Z/pZ)^, so 
that m < 2. 

The following lemma tells us how to find the subset of ^(Qp)/^"(Qp) of elements 
such that the corresponding cosets of /"(Qp) meet the image of the curve. 

Lemma 6.2. Let Pq G C(Qp), and let Q G t/"(Qp). If we normalize the coordi- 
nates (?7i : ri2 ■ : rj^) of the image of Pq + Q on /C* so that the minimal p-adic 
valuation is zero, then 

Proof. Let P be the image on JC* of Pq G C(Qp). If we make an invertible co- 
ordinate change over Zp on the that C maps to, then this induces an invert- 
ible coordinate change over Zp on the ambient projective spaces of /C and of JC*, 
which leaves the valuations of tjiT]^, — rjl and of rj^ invariant. We can therefore 
assume without loss of generality that the point on the curve is at infinity. Then 
P = (1 : : : 0). 
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Since Q G J^{Q.p), its image on /C has coordinates of the form 

Denote the coordinates of the images of Pq ± Q on IC* by (r^i : r]2 '■ Vs '■ ^4) 
and {rj'i '■ ri2 '■ v's '■ v'a) ■ H we evaluate the entries of the matrix A at the coordinates 
of P and Q, then by the definition of A we have (with suitable scaling) 

2A{P,Q) = im,V2,V3,V4V {v'i,V2,V3,Va) + iv'i,V2,V3,v'4V (?7i,?72,?73,?74) ■ 
We obtain 

Wi = >l(^,Q)ii = lniodp2", 
so that we can scale the coordinates to have 

r)i = r)[ = l mod p^" . 

We then find that 

r]4 + V4 = 2^(^, (3) 14 = mod p^" and 7/47/4 = A{P, Q)44 = mod p^" ; 
this implies that 

774 = ?74 = mod p^" . 

All entries in A(P,Q), except An, have valuation at least 2n. It follows in a 
similar way as above that 

r]2,r]2,m,v'z = modp" 

and therefore that 

Vm -rii = r][r]s -rj'^^ = mod p" 
as claimed. □ 

Recall that we have fixed an embedding l : C J, given by some rational divisor 
(class) of degree 1 on C. This induces an isomorphism t : Pic^ ^ J. So in 
order to test whether an element of J{Q)/Kn is in the image of C{Qp), we map a 
representative in J(Q) to Pic^ via l^^ and then to the dual Kummer surface, and 
check whether the normalized coordinates of the image satisfy 

VpiVi) ^ 271 and Vpijjirj^ — rj^) > n. 

Note that we can compute the image on the dual Kummer surface if we know the 
images of CiPi + ■ • ■ + emPm on /C and on K* , where the Pj are representatives of 
generators of J{Q)/Kn (with ej G {0, 1}). 

If we proceed as just described, then we need to enumerate J{Q)/Kn (of size ap- 
proximately p^") in order to find the image of C, which is of size approximately p". 
We can make several improvements in order to reduce the complexity to some- 
thing closer to the lower bound of 0(p"). One improvement is to compute the 
images successively for 7i = 2, 3, . . . . When we go from 7i = 7?T.to7i = 7n-|-l, we 
only have to consider group elements that map into the image of the curve on the 
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previous level; there will usually be of these for each of the roughly elements 
in the previous image. This gives a complexity of for this step, and a total 
complexity of ^ziP"'- This is still worse by a factor of p^/ip — 1) than what we 
would get if we could compute the images of points in C(Qp) in J(Qp)/J"(Qp) 
directly, but it is reasonably good for applications. 

We can further improve on this in many cases. Let P G J{Q) such that its image 
on /C* satisfies Vp{r]ir]3 — rjl) > m as above. We work in an affine patch of /C* 
such that the image of P has p-adically integral coordinates and write h{P) for 
the function 771773 — r/l, evaluated at P in terms of these affine coordinates. The 
theory of formal groups implies that the map 

J™(Qp) ^ , g ^ p"'"(/i(p + g) - h{P)) mod p 

is linear, with kernel containing J™''''^(Qp). This gives us a linear form ^rn '■ 
Km/Krn+i Fp. If im IS uouzcro, then we only need to evaluate it on a generating 
set of Km/ Km+i in order to find the points Q e Km such that Vp{h{P+Q)) > m+1. 
Since Km/Km+i usually has two generators, this gives a complexity of order 
(2 + for each of the roughly p^ points P, we have to evaluate ^m on the two 

generators and then compute the (usually) p lifts to the next level. Note that the 
linear form is nonzero on J'"(Qp)/J™'''^(Qp) if and only if the reduction mod p 
of the image of P on /C* is nonsingular. This is the case unless p = 2 or the 
corresponding point in C(Fp) has vanishing ^/-coordinate. So if p is an odd prime 
such that the polynomial defining C is not divisible by p, there will be at most six 
'problematic' classes mod p, contributing at most Qp^ to the complexity at each 
step. The overall complexity is therefore 0(p") for such primes, which is of the 
order of the obvious lower bound. 

7. Implementation 

In this section, we describe a concrete implementation of the Mordell-Weil sieve 
on genus 2 curves that can be used to prove that a given curve does not have a 
rational point. For this implementation, the MAGMA computer algebra system [M] 
was used. Our implementation is available at [BS3]. 

We assume that we are given as input 

(1) the polynomial f{x) on the right hand side of the equation = f{x) of 
the curve C, 

(2) generators of the Mordell-Weil group J(Q), where J is the Jacobian variety 
of the curve, and 

(3) a rational divisor D of degree 3 on the curve. 

The latter is used to provide the embedding l : C J, which is given by sending 
a point P G C to the class of P + W — D, where ly is a canonical divisor. 
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Elements of J(Q) can be represented by divisors of degree 2, and divisors can be 
represented by pairs (a, b) of polynomials as in Section 5 above. We let r denote 
the rank of J(Q). 

In the first step, we have to provide the necessary input for the actual sieving 
procedure. This means that we have to determine the group structure of J(Fp), 
the reduction homomorphism (pp : J(Q) — >■ J(Fp), and the image of C(¥p) in J(¥p) 
in terms of this group structure. This involves the computation of r + 1 + #C (¥p) 
discrete logarithms in the group J(Fp), where r is the Mordell-Weil rank and t 
is the number of generators of the torsion subgroup of J(Q). The first r + t of 
these are needed to find 0p, and the others are needed to find the image of C(¥p) 
in J(Fp), represented by the abstract group Gp. If we restrict to primes p such 
that 7^J(Fp) is S-smooth, then we can use Pohlig-Hellman reduction [PH] for 
the computation of the discrete logarithms, so that the complexity of this step 
is about r + t + ^C(¥p) (assuming B is fixed). The total effort required for the 
computation in the first step is therefore 

^ (r + t)#5 + ^#C(Fp) ^ {r + t)4fS + J2p- (r + t + ^ max . 

pes pes 

In the last estimate, we have made the simplifying assumption that the primes 
in S are distributed fairly regularly, so the factor | will not be completely accurate. 
The point is that this is essentially quadratic in or maxS*. So the relevant 
question is how far we have to go with max S in order to collect enough information 
to make success likely. 

A reliable theoretical analysis of this question appears to be rather difficult, al- 
though one could try to get some information out of an approach along the lines 
of Poonen's heuristic [Po]. Therefore we use the following approach. We compute 
the relevant information for each prime p (such that 7^ J(Fp) is 5-smooth) in turn. 
Then we compute the numbers n{S, Ni_i_r-j) for j = 0, 1, 2, 3 in the notation of 
Section 3.1, where S is the set of primes used so far. This can be done incremen- 
tally, caching the values of #C7v,p/#(Gp/A^Gp) for later use (they only depend on 
the gcd of and the exponent of Gp), and does not cost much time. We stop this 
part of the computation when 

mmn{S, Ni^i^r-j) < £ 
j 

for a given parameter e <^ 1. Tests performed with the 'small curves' from [BSl] 
indicate that e = 0.01 is a reasonable choice and that B = 200 leads to good 
results. Figure 2 shows the dependence of n{S, Ni_i_r-j) from maxS" in a fairly 
typical example (of rank 3). 

We include the computation of 'bad' and 'deep' information (as described in Sec- 
tions 5 and 6 above) as we go along. We let n = 2, 3, 4, ... , and when n = p is a 
prime, we compute information mod p if p < 10, or p < i? and the given model 
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\og:on{S,Nit^ri) 




Figure 2. Expected sizes n{S, Ni^i^r-j) versus max 5* 



of C is regular at p such that C/¥p has only one component, or p is a prime of 
good reduction and #J(Fp) is 5-smooth. If n = p'' is a prime power p^, then we 
compute information mod p"^ with m = (f + l)/2 if f is odd. This scheme proved 
to give the best performance with our implementation. It hits a good balance 
between the effort required to compute the information (which is much greater 
than for 'flat' and 'good' information at primes q ~ p"^) and the gain in speed 
resulting from the additional information. The information mod p"^ is therefore 
computed in the following order. 

p"" = 2, 3, 5, 7, 2^ 11, 13, 17, 19, 23, 3^ 29, 31, 2^ 37, . . . 

After the information has been collected, we compute a 'g sequence' as described 
in Section 3.2, using a target value of ei with e < ei < 1. We take ei = 0.1 as the 
standard value of this parameter. Since ei > e, we know from the first part of the 
computation that a suitable sequence exists. If we take ei not too close to e, this 
second part of the computation is usually rather fast. 

Finally, we use the collection {(Gp, 4>p, Cp) : p & S} and the q sequence as input for 
the actual sieve computation. This computation is done as described in Section 3.3. 
If it does not result in the desired contradiction, we divide the e and Si parameters 
by 10 and start over (keeping the local information we have already computed). 
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8. Efficiency 

How long do our computations take? Let us look at the various steps that have 
to be performed, in the context of the first application discussed in Section 4 
above: verifying that a given curve C of genus 2 over Q does not have rational 
points. We assume that a Mordell-Weil basis is known. Note that in practice, 
the part of the computation that determines this Mordell-Weil basis can be rather 
time-consuming, but this is a different problem, which we will not consider here. 
See [St2, Stl, St3] for the relevant algorithms. We also assume that we know a 
rational divisor of degree 3 on C . Again, it might be not so easy to find such a 
divisor in practice. 

We consider the 1447 curves for which we had to perform a Mordell-Weil sieve 
computation in [BSl] in order to rule out the existence of rational points. The 
difference to the 1492 curves mentioned earlier comes from the fact that some 
curves had rank zero, and some others could be ruled out immediately by the 
information coming from the Birch and Swinnerton-Dyer conjecture. The timings 
mentioned below were obtained on a machine with 4 GB of RAM and a 2.0 GHz 
dual core processor. As before, r denotes the Mordell-Weil rank. 

Among the 521 curves with r = 1, there are 514 such that we already obtain a 
contradiction while collecting the information. This occurs when we find a prime p 
or prime power such that the images of J(Q) and of C{'L/p'^'L) in J{'L/p'^'L) 
are disjoint. It is perhaps worth noting that without looking at 'bad' and 'deep' 
information, we obtain this kind of immediate contradiction only for 406 curves. 
The average computing time for a single curve was about 0.1 seconds, and the 
longest time was about 6.3 seconds. The distribution of running times is shown 
in Figure 3 (on a logarithmic scale). 

The anonymous referee asked whether there is a heuristic explanation for the 
observation that information at one prime is almost always enough to rule out 
rational points. Here is an attempt at such an explanation. We use the following 
probabilistic model. We assume that J(Fp) is cyclic of order uniformly distributed 
in an interval around p^ of length x p^/^, that the generator Pq of <^(Q) (which we 
assume to be torsion-free of rank one) is mapped to a random element of J(Fp) 
and that the points in C(Fp) form a random subset of J(Fp). We are interested 
in the probability that C(Fp) and the image of J(Q) in J(Fp) are disjoint. Note 
that the case when J{¥p) is cyclic is the worst case; if Ji^p) is not cyclic, then the 
cyclic image of J(Q) will be more likely to be small. 

Lemma 8.1. In the model described above, the probability that C{¥p) does not 
meet the image of J{Q) is ^ 1/p. 

Proof. Let n = p"^ + 0{p^^'^) be the order of J(Fp), denote the index of the image 
of J(Q) in J(Fp) by d, and let m = p + 0{p^'^) denote #C(Fp). Then the 
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Figure 3. Running times for r 



conditional probability, given that the index is > 2, is 

(n-n/d\ m-l ^ 
fc=0 



(Id 



m— 1 

expf^lo; 



exp 



A:=0 
1 



d{l - A;/n) 
1 

- k/n) 



dt 



d Jq I — t/n 



+ 0{d 



-- + 0{d-^) + 0{pd 



= exp 
0{pd-^ 



m—l 

^ - A;/n) 



+ 0{pd 



-2- 



Here 0(c/ ^) denotes a quantity that is bounded by a constant times d ^, and 
0{pd~~'^) denotes a quantity that is bounded by a constant times pd'"^ for large p. 

We restrict to the range ap < d < (3p with fixed < a < /5. Then 

We now have to estimate the probability that d has a given value d^ in the range 
under consideration. Fix a generator Q of J(Fp) and write Pq = k ■ Q, where Pq 
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is the image of Pq in J(¥p). Then the probabihty is 

4^{{n,k) : < k < n = + ©(p^/^), gcd(n, k) = do} 



Pr((i = do 



#{(n, k) ■.0<k <n = p'^ + 0(p3/2)} 



6 -l/2+e^ 



(l + 0(j)- 



So the total probabihty can be bounded below by 



ap<do<Pp oip<do</3p ^ 



6 
6 

















e'^^du 







^l/2+£^ 



_(e-i//3_e-i/a) +0(^-3/2+.^ 



6 

Letting a — > and /3 — oo, we obtain 

liminf p ■ Pr(C(Fp) n (Pq) = 0) > 4 



□ 



Since the cases with do ^ p and do ^ p are likely not to contribute anything in 
the limit, we would expect that in the model considered, we actually have 

Pr(C(Fp) n (Po) = 0) ~ ■ - as p ^ oo. 

Since X]pP"^ diverges, we expect an infinite (but rather sparse) set of primes p 
such that information mod p proves that there are no rational points. This is 
consistent with the observations mentioned above. Figure 4 shows p times the 
fraction of curves in our data set where reduction mod p proves the absence of 
rational points among all curves with r = 1 and trivial torsion that have good 
reduction at p, as a function of 2 < p < 100. We see that (except for p = 3) 
this value is considerably larger than G/vr^. The most likely explanation is that 
this is an effect of the occurrence of non-cyclic groups among the J{¥p). This is 
confirmed by the data obtained from only looking at cases where J{¥p) is cyclic 
(green in the figure). 

In general, a similar heuristic approach should give a success probability of the 
order of when the rank is r. This indicates that there is a positive probability 
for success at some single prime, but this probability is less than 1 and decreases 
to zero as r increases. This is consistent with the observations described below. 
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Figure 4. p times success frequency at p versus p 



There are 772 curves with r = 2. For 394 among them, we obtain a contradic- 
tion from one prime or prime power alone. The average computing time for these 
curves was 0.24 seconds with a maximum of 6.4 seconds. For the remaining curves, 
the average total computing time was 4.9 seconds, with a maximum of 51.8 sec- 
onds. The distribution of the running times (overall and for the various parts of 
the computation) is shown in Figure 5. The two peaks essentially correspond to 
the two groups of curves. The largest size of a set AiV) that occurred in the com- 
putation was 236, the average of this maximum size in each computation was 6.1. 
Note that the inclusion of 'bad' and 'deep' information results in a speed-up by 
roughly a factor two. 

There are 152 curves with r = 3. For 14 curves, we still find a contradiction from 
the local information at one prime alone. The average total time was 34.3 seconds, 
the maximum was about 5.6 minutes. The first step took 28.1 seconds on average. 
For the curves where the second and third steps were performed, the second step 
took 2.3 seconds and the third step 4.6 seconds on average. The distribution of 
the running times (overall and for the various steps) is shown in Figure 6. The 
largest size of a set A[V) was 251 148 (occurring for the curve with the largest 
running time), the average was 5049. For these curves, the computation is infea- 
sible without using 'bad' and 'deep' information, since otherwise the sets A[V) 
occurring in the last part of the computation get much too large. 
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There are only two curves with r = 4. One of them is 'hard' and the other one 
is 'easy'. For the 'hard' curve, the computation takes about 26 minutes with the 
standard settings (ca. 2 min for the first step, 10 seconds for the second and the 
remaining 24 min for the sieving step). This is mostly due to the large size of the 
sets A{L) (up to more than 2 million) occurring in this computation. If we change 
the parameters so that deep information mod is used for all p" < 520, then the 
computation takes less than 12 minutes (3 min, 10 sec, 8.5 min), and the largest 
set A[L) has size only about 750 000. The 'easy' curve is dealt with in 47 seconds 
(44.5 sec, 2 sec, 0.5 sec) using the standard settings. 



From these data, we conclude that our current implementation works well for 
curves with Jacobians of Mordell-Weil rank r < 3. For larger rank, there is so 
far only sparse evidence from examples, suggesting that individual curves with r 
as large as 6 are still within the range of feasibility. In any case, it is clear that 
average running times increase quickly with r. 

Our timings also show that the first part of the computation (gathering the local 
information) usually takes the lion's share of the total time. Improvements in this 
part (and faster discrete logarithm computations in particular) would result in a 
noticeable speedup of the procedure whole. 
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Figure 6. Running times for r = 3 
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